easyrsa_openssl(): Always export $OPENSSL_CONF as $EASYRSA_SSL_CONF #1150

Merged May 29, 2024 (3 commits)

TinCanTech (Collaborator)

The problem was that easyrsa_openssl() would select an SSL config file based on the existence of the $EASYRSA_SAFE_CONF file. This caused the selector to ignore a newer $EASYRSA_SSL_CONF file.

This only occurs:

1. During build_full(), when gen_req() and sign_req() are chained together, instead of being separate instances. Combined with
2. When using LibreSSL, which requires expansion of the SSL config file.

This change forces easyrsa_openssl() to only ever set $OPENSSL_CONF to $EASYRSA_SSL_CONF, ignoring the safe config file.

Use of the safe config file $EASYRSA_SAFE_CONF is now completely removed.

Also includes verbose diagnostic information.

Signed-off-by: Richard T Bonhomme <[email protected]>

This resets the SSL config file to the beginning of an instantiation.

Allow built-in SSL config file to be initially created as either
unexpanded (OpenSSL) or expanded (LibreSSL)

Signed-off-by: Richard T Bonhomme <[email protected]>

TinCanTech (Collaborator, Author) commented May 28, 2024

The reason that b015eec failed is:

  1. The file passed to source_vars() contains export, called by escape_hazard()
  2. escape_hazard() is called because openssl-easyrsa.cnf is not recognised by hash.
  3. openssl-easyrsa.cnf is not recognised because Windows version uses CRLF, not LF.

House of cards; on the edge of a cliff; in a stiff breeze; what could go wrong .. ?

The reason that this did not occur before is down to the code logic that this PR is addressing. This fallout is somewhat expected and good to resolve.

By not adding Windows hashes for openssl-easyrsa.cnf, Windows can continue to test the old expansion mechanism. Although, a *nix based unit-test would be preferable ..

nix test added via #1151

@TinCanTech TinCanTech merged commit 90438e8 into OpenVPN:master May 29, 2024
3 checks passed
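
The third point in the May 28 comment (a file not recognised by hash because the Windows copy uses CRLF, not LF) can be reproduced in isolation. The following is an added example, not Easy-RSA code: the function names and the sample config text are constructed, and hashing with CR bytes removed is shown only as one possible way to make such a check line-ending independent.

```shell
# Added example, not Easy-RSA code; all function names are hypothetical.

# Constructed sample input: a short stand-in for an SSL config file.
sample_cnf() {
    printf '%s\n' '[ ca ]' 'default_ca = CA_default' \
        '[ CA_default ]' 'dir = $ENV::EASYRSA_PKI'
}

# Print the SHA-256 hex digest of stdin.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d ' ' -f 1
    else
        openssl dgst -sha256 -r | cut -d ' ' -f 1
    fi
}

# Digest of the bytes exactly as stored on disk.
hash_raw() { sha256_hex < "$1"; }

# Digest after deleting every CR byte, so CRLF and LF copies hash the same.
hash_text() { tr -d '\r' < "$1" | sha256_hex; }

# is_known_file FILE KNOWN_DIGEST MODE
# Returns 0 on a match. MODE "raw" compares stored bytes, "text" ignores CRs.
is_known_file() {
    case "$3" in
        raw)  [ "$(hash_raw "$1")" = "$2" ] ;;
        text) [ "$(hash_text "$1")" = "$2" ] ;;
        *)    return 2 ;;
    esac
}

# Check an LF and a CRLF copy against the digest recorded from the LF copy.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_cnf > "$tmp/lf.cnf"
    sample_cnf | awk '{ printf "%s\r\n", $0 }' > "$tmp/crlf.cnf"
    known=$(hash_raw "$tmp/lf.cnf")
    out=
    for check in "lf raw" "crlf raw" "crlf text"; do
        set -- $check
        if is_known_file "$tmp/$1.cnf" "$known" "$2"; then r=match; else r=mismatch; fi
        out="$out$1/$2=$r "
    done
    rm -rf "$tmp"
    printf '%s\n' "${out% }"
}
demo
```

The CRLF copy has the same text but fails the raw comparison, which is the condition under which a hash-based "is this the stock file" test falls through to its not-recognised path.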
Successfully merging this pull request may close these issues.

LibreSSL: build-*-full uses an incorrect SSL config file